Tag Archive for: Formbook

Attackers bypass Microsoft patch to deliver Formbook malware

/in


Sophos Labs researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability (CVE-2021-40444) affecting the Microsoft Office file format.

The attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware. The attackers then distributed it through spam emails for approximately 36 hours before it disappeared.

From CAB to “CAB-less” exploit to bypass the patch for CVE-2021-40444

The CVE-2021-40444 vulnerability is a critical remote code execution (RCE) vulnerability that attackers can exploit to execute any code or commands on a target machine without the owner’s knowledge. Microsoft released an urgent mitigation followed by a patch in September. A few days later, the company shared how attackers have been exploiting the flaw to deliver custom Cobalt Strike payloads.

Sophos researchers found the 36 hours-campaign featuring the new exploit in late October. They discovered that attackers have reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive. The newer, “CAB-less” form of the exploit successfully evades the original patch.

CVE-2021-40444 patch bypass

Sophos data shows that the amended exploit was used in the wild for around 36 hours. According to the researchers, the limited lifespan of the updated attack could mean it was a “dry run” experiment that might return in future incidents.

“In theory, this attack approach shouldn’t have worked, but it did,” said Andrew Brandt, principal threat researcher at Sophos.

“The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for…

Source…

Cyber Security Today, Sept. 13, 2021 – The REvil ransomware gang is back, a new botnet is discovered and Formbook malware rises

/in


The REvil ransomware gang is back, a new botnet is discovered and Formbook malware rises.

Welcome to Cyber Security Today. It’s Monday September 13th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.

 

Bad news on the ransomware front: The REvil ransomware gang is definitely back. There was some uncertainty about that last week when after two months of silence the data leak and payment websites of the gang were re-activated. No new victims were listed at that point. However, on Saturday the Bleeping Computer news service reported the gang has published screenshots of stolen data of a new victim. Why the gang was away isn’t clear. Some security researchers suspected that REvil was worried about being tracked by police after news spread internationally of its attack on Kaseya during the summer. A post on a criminal website suggested the gang worried that one of its members had been arrested, so it turned its servers off. A more recent post claimed the gang just wanted a break. It doesn’t matter. No matter who the gang is IT and security leaders have to be ready for ransomware attacks.

A new botnet that launches huge denial of service attacks has been discovered. A Russian cybersecurity firm called Qrator and the Yandex search engine believe more than 200,000 compromised network devices such as routers, gateways and switches are involved. One of the victims was Yandex. Dubbed the Meris botnet, many of the compromised devices are manufactured by a Latvian company called MikroTik. MicroTik says many of the devices were compromised in 2018 when its RouterOS operating system had a vulnerability. That vulnerability was quickly patched. But MikroTik says device operators have to change their passwords as well as apply the patch. On the other hand the Qrator/Yandex report says many of the compromised devices have newer versions of the MikroTik operating system.

A denial of service attack is like someone pounding on a company’s front door, except the front door is a website. Crooks launch denial of service attacks on victim companies to make their websites unavailable, then demand payment to stop. Huge attacks by this botnet have been launched…

Source…

Remotely hosted objects used to spread Formbook malware

/in

  1. Remotely hosted objects used to spread Formbook malware  SC Magazine

  2. New Distribution Method Makes FormBook Malware More Insidious  http://totalsecuritydailyadvisor.blr.com/ (press release) (blog)

    3. Full coverage

malware news – read more